CVE-2021-24737: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24737 affects the WordPress plugin wpDiscuz versions below 7.3.2. This security flaw was discovered by Phu Tran from techlabcorp.com and was publicly disclosed on September 13, 2021. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that affects admin-level users (WPScan).

The vulnerability stems from improper sanitization and escaping of Follow and Unfollow messages before they are output on the page. This security flaw exists even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is categorized under CWE-79, falling into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows high-privilege users to perform Stored Cross-Site Scripting attacks through the plugin's Follow and Unfollow message functionality. When exploited, the vulnerability could enable attackers to inject malicious scripts that would persist in the database and execute when other users view the affected pages (WPScan).

The vulnerability was fixed in wpDiscuz version 7.3.2, released on September 19, 2021. It's important to note that after updating to version 7.3.2, existing payloads will continue to work until the settings are saved again with the new version installed. Users are strongly advised to update to version 7.3.2 or later and resave their settings to ensure complete mitigation (WPScan).

Initially, when contacted on May 18th, 2021, the vendor did not consider this a security issue but agreed to implement filtering in a future update. After the issue persisted through version 7.3.0 and 7.3.1, it was escalated to the WordPress Plugins Team, leading to public disclosure and eventual resolution in version 7.3.2 (WPScan).